All posts by egoepfert

Recently I’ve been building my first ACI installation. We’re doing it on our own, and I’m reaching out to TAC and a key friend for help if I get stuck on anything that googling doesn’t solve. It’s been going pretty well actually, and I’ve only run into a few snags (which I will document here in other posts).

Our plan for this first build is to make a few critical things work properly and then blow the whole thing away and rebuild it using as much scripting as possible. It’s a great way to learn new tech.

One of our final tasks was to get authentication working, and our systems team would love to move as many things to SSO/SAML as possible, so that was the thing to implement on the ACI admin pages. Here’s the problem we’ve had: you need to return a specific value for “CiscoAVPair”, and man, it’s hard to find documentation that isn’t all screwed up on the format, because the format matters…A LOT.

First off, the attribute name is “CiscoAVPair” (no quotes). NOT “ciscoAVpair”, “CiscoAVpair”, “CiscoAvPair” or “Cisco-avpair”. I’ve found documents (yes, from Cisco) with all of those different capitalizations.

Second thing is the value of the string:

shell:domains=all/admin/

No spaces, and make sure to get that slash in at the end. “all” is the security domain and “admin” is the role. The layout is domain/write-roles/read-roles (multiple roles separated by |, multiple domains separated by commas), so that trailing slash is the separator in front of the empty read-only role list, not decoration.
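As an added example (not code from the original post), here is a small Python helper that builds the value from a domain/role mapping and checks an incoming attribute/value pair for the mistakes above: wrong capitalization of the attribute name, stray spaces, and a missing trailing slash. The domain and role names in the docstring are illustrative; the helper only checks the domain/write-roles/read-roles layout and does not talk to an APIC.

```python
import re

# Exact attribute name the APIC looks for; the capitalization matters.
ATTRIBUTE_NAME = "CiscoAVPair"
PREFIX = "shell:domains="

# One domain entry is <domain>/<write-roles>/<read-roles>; role lists are
# '|'-separated and may be empty, but both slashes must be present.
_TOKEN = r"[A-Za-z0-9_.:-]+"
_ROLES = rf"(?:{_TOKEN}(?:\|{_TOKEN})*)?"
_ENTRY = re.compile(rf"^{_TOKEN}/{_ROLES}/{_ROLES}$")


def build_avpair(domains):
    """Build the value from {domain: (write_roles, read_roles)}.

    build_avpair({"all": (["admin"], [])}) -> "shell:domains=all/admin/"
    """
    entries = [
        f"{domain}/{'|'.join(write_roles)}/{'|'.join(read_roles)}"
        for domain, (write_roles, read_roles) in domains.items()
    ]
    return PREFIX + ",".join(entries)


def check_avpair(name, value):
    """Return a list of problems with an attribute/value pair; [] means OK."""
    problems = []
    if name != ATTRIBUTE_NAME:
        problems.append(f"attribute name must be {ATTRIBUTE_NAME!r} exactly, got {name!r}")
    if " " in value:
        problems.append("value must not contain spaces")
    if not value.startswith(PREFIX):
        problems.append(f"value must start with {PREFIX!r}")
        return problems
    for entry in value[len(PREFIX):].split(","):
        if not _ENTRY.match(entry):
            problems.append(
                f"bad entry {entry!r}: expected domain/write-roles/read-roles "
                "with both slashes (e.g. all/admin/)"
            )
    return problems
```

Run check_avpair() against what your IdP actually emits (pull it out of the SAML assertion or the RADIUS/TACACS+ debug) before blaming the APIC; most of the broken docs fail one of these three checks.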

I’m just about to finish implementing a NAC solution using ClearPass to do 802.1X and ran into some challenges with our current infrastructure design…so I have to change it.

Basically the problem is that to do dynamic vlan assignment you can either have a standardized vlan structure for your access switches (we don’t), or you have to build out crazy-complex profile logic to accommodate the existing vlan structure.

I figure for the ease of support later it’s probably better to standardize the access vlans across the organization. That means that I’d have to touch every access switch in the org. There’s no way I’m doing that manually.

Typically I would do this in VB because it’s what I’m used to but that language is pretty old and it’d be better if I knew Python, so I decided to take this opportunity to learn Python and do it that way instead.

Man am I glad I did.

The script I wrote takes the whole config file and parses it for the needed information. Because we actually had a standard subnet scheme this was a lot easier: I could work off of that to identify the parts of the config that needed to be changed. I pulled all that information out and automatically ran it through a template config I made (you know…a STANDARD!) to spit out the config changes that needed to be made on every switch.

Turns out I wasn’t done there because somebody back before I got here decided to use every access switch as a DHCP server. Ugh. We’re not leaving that in there. I mean, if I’m doing this already I might as well fix that too.

So I added some functions to dump out the networks we needed to create DHCP scopes and client reservations for in our Windows DHCP servers. One of our systems guys used that to create a PowerShell script to automate the scope creation.
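Here is an added Python example of the approach described above; it is illustrative code written for this page, not the script from the post. It assumes a hypothetical addressing standard of 10.<site>.<role>.0/24, a hypothetical standard VLAN plan keyed by the role octet, and a constructed IOS config as input. It splits the config into stanzas, works out the old-to-new VLAN mapping from the SVI subnets, emits the switchport changes, and dumps the DHCP pools (with the excluded-address ranges that fall inside them) that have to be recreated on the central DHCP servers before the pools are removed.

```python
import ipaddress
import re

# Constructed sample IOS config for illustration (not from the original post).
SAMPLE_CONFIG = """\
ip dhcp excluded-address 10.3.20.1 10.3.20.20
ip dhcp pool DATA
 network 10.3.20.0 255.255.255.0
 default-router 10.3.20.1
!
interface Vlan120
 ip address 10.3.20.1 255.255.255.0
!
interface Vlan135
 ip address 10.3.30.1 255.255.255.0
!
interface Vlan42
 ip address 10.3.40.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 switchport access vlan 120
 switchport voice vlan 42
!
interface GigabitEthernet1/0/2
 switchport access vlan 135
"""

# Assumed addressing standard: 10.<site>.<role>.0/24, the third octet being the
# role; assumed standard VLAN plan keyed by that octet (both are illustrative).
ROLE_OCTET_TO_STD_VLAN = {20: ("DATA", 100), 30: ("PRINTERS", 110), 40: ("VOICE", 200)}


def parse_stanzas(config):
    """Split an IOS config into (header, [indented body lines]) stanzas."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and stanzas:
            stanzas[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            stanzas.append((raw.strip(), []))
    return stanzas


def vlan_mapping(config):
    """Old VLAN id -> (role, standard VLAN id), decided by the SVI's subnet."""
    mapping = {}
    for header, body in parse_stanzas(config):
        m = re.fullmatch(r"interface Vlan(\d+)", header)
        addr = next((l.split()[2:4] for l in body if l.startswith("ip address ")), None)
        if m and addr:
            iface = ipaddress.IPv4Interface("/".join(addr))  # accepts dotted masks
            role = ROLE_OCTET_TO_STD_VLAN.get(iface.network.network_address.packed[2])
            if role:
                mapping[int(m.group(1))] = role
    return mapping


def access_port_changes(config, mapping):
    """Config lines moving each access/voice port onto its standard VLAN."""
    lines = []
    for header, body in parse_stanzas(config):
        changed = []
        for line in body:
            m = re.fullmatch(r"switchport (access|voice) vlan (\d+)", line)
            if m and int(m.group(2)) in mapping:
                changed.append(f" switchport {m.group(1)} vlan {mapping[int(m.group(2))][1]}")
        if changed:
            lines += [header] + changed
    return lines


def dhcp_scopes(config):
    """One dict per 'ip dhcp pool' to recreate on the central DHCP servers,
    with the global excluded-address ranges that fall inside each pool."""
    stanzas = parse_stanzas(config)
    # A single excluded address has no high end; doubling the slice pads it.
    exclusions = [tuple(map(ipaddress.IPv4Address, (h.split()[3:5] * 2)[:2]))
                  for h, _ in stanzas if h.startswith("ip dhcp excluded-address ")]
    scopes = []
    for header, body in stanzas:
        if not header.startswith("ip dhcp pool "):
            continue
        opts = {line.split()[0]: line.split()[1:] for line in body}
        net = ipaddress.IPv4Network("/".join(opts["network"]))
        scopes.append({"pool": header.split()[3], "network": net,
                       "router": opts.get("default-router", [None])[0],
                       "excluded": [(str(lo), str(hi)) for lo, hi in exclusions if lo in net]})
    return scopes


def render_change_set(config):
    """Per-switch change set: new VLANs, port moves, then DHCP pool removal."""
    mapping = vlan_mapping(config)
    out = []
    for role, new_vlan in sorted(set(mapping.values()), key=lambda r: r[1]):
        out += [f"vlan {new_vlan}", f" name {role}"]
    out += access_port_changes(config, mapping)
    out += [f"no ip dhcp pool {s['pool']}" for s in dhcp_scopes(config)]
    return "\n".join(out)
```

Moving the SVIs themselves, updating trunk allowed-VLAN lists and deleting the old VLANs are deliberately left out of the change set; those belong in a second pass once the new scopes are live on the central servers, so the first pass can be pushed without breaking DHCP for anybody.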

I think I’m in love with Python. It’s pretty easy to read, the tab/space formatting is forced on you (not that I needed it, I can’t stand reading code that’s not formatted properly), and it’s FAST. OMG, so much faster than VB. File manipulation is nice and smooth, and it only took me a little bit of time to wrap my head around the dynamic variable types and the output implications that go along with them.

Some personal events that have happened over the last year have already got me thinking about a really cool side project and Python is clearly the tool for the job.

Now I have to decide how much to focus on being a better coder vs. completing that pesky CCIE lab.

We’re finally kicking off a project to get the 1000v in place. I’m super excited to get to work on this tech. I had been to training for the install and config a long time ago, so I’ve pretty much forgotten all of that by now, but this time I actually get to do it and learn from my mistakes instead of doing a lab out of a book 🙂

First things first: your 1010’s will not come up if they can’t talk to each other, so make sure the interfaces are up and configured.

Second, there’s a lot of info on how to upgrade the appliance software and how to install VEMs (the virtual switches) into VMware, but that assumes your VSM is up and running. I spent a lot of time confused about where to pull the software for the VSM that runs on the appliance. It’s in the zip that you pull for the VEM image, so that’s helpful. But now you get to decide which image to use, because there are 3 in the same directory (1 ISO and 2 OVA images). One of the OVA files will have 1010 somewhere towards the end of the name; that’s the one you need to use.

The documentation posted on the Cisco site is also missing a rather critical piece of information. The doc says that to create the VSM, the image needs to be in bootflash. So of course I copied the image to the root of bootflash, because that’s what the doc says to do. When you try to create the VSM you get this:

1010(config-vsb-config)# virtual-service-blade-type new nexus-1000v.4.2.1.SV2.2.2.1010.ova
ERROR: ISO/OVA package not found

Here’s a great “gotcha” we ran into, maybe google will save somebody else this headache:

Two Nexus 5k’s with a vPC peer-link between them. Each of them was getting a 2k connected with two fex ports. The first 2k came up with no problems. The second 2k said “link not connected.” Of course we assumed that the 2k either had an sfp instead of fex or there was a physical cable problem. Nope.

Both 5k’s were using the same port-channel number (in this case 101). Going into the second 5k, removing port-channel 101 and building port-channel 1101 (keeping the same fex info) caused the interfaces to immediately come up.

Cisco, I understand that there are going to be weird things that come up with new architectures, but this works on 7k’s. Also, “link not connected” is totally the wrong interface status to show here. An err-disabled state or something similar would be much more appropriate.

I was trying to upgrade and configure our 1010s before installing them in the rack and was banging my head on the desk trying to figure out why they wouldn’t boot after I dropped a config in. Apparently the control network needs to be up in order for the primary system to even boot once it’s configured…so yeah…watch out for that.

Just so everybody knows: when the documentation over at cisco.com says you can’t mix modules for vPC links, it only says that you can’t mix F and M series. What it doesn’t tell you is that you can’t mix M modules either. We recently had an M1 series module fail and tried to move one of the port-channel links to an M2 module; the command fails when you try to add the interface to the channel-group.

Why isn’t that in the same document that says you can’t mix F and M series? I have no idea. TAC told me that you can mix M modules for regular port-channels, but the vPC peer-link requires that they be the same model.

At least when I took it all you really needed was GNS3 and some books.

There are some great videos out there too. I don’t often plug pay sites (they’ve given me nothing…promise), but cbtnuggets.com has a guy named Jeremy Cioara who is becoming something of a legend in the networking community. I don’t think I’ve spoken to anybody in the network world who hasn’t seen his CCNA/CCNP series done for cbtnuggets. I did, and they helped a lot with some of the concept stuff. Don’t think that only watching the videos will give you everything you need. There’s still that pesky memorization stuff that they throw on the exams that you can only really get out of a book, but they’re a great start.
As for GNS3, all you really need is a 3725 router with switch modules added (right-click on the router when it’s in the topology, go to Configure > Slots, and add serial or switch modules from there). If you get the correct image for the 3725 you can run all the protocols covered on the exams (even IS-IS and IPv6).

I liked to come up with scenarios that were a bit more real-world based. I mean, when was the last time anybody got into a new job to find that everything was standardized and perfectly efficient? So when putting together some of the networks for redistribution exercises or switching networks for STP practice, think to yourself “How would a network look if 3 different engineers had different budgets and priorities?” Then build that.

Pretend there are some old models kicking around that don’t support newer protocols (or just haven’t been upgraded in years).

Pretend that a project was started to migrate to a different IGP, but was never completed because somebody left.

I know I had a mental block when looking at some scenarios. I would think to myself “Why in the world would this ever happen?” It happens. More often than you’d like. Most of the people I talk to lately are working on projects to fix what has happened in the past…so there will be some migration plans that look dirty, but are needed because you can’t get to the whole network in one maintenance window. So, the “why” doesn’t matter anymore, just that it “has.”

I don’t know about you, but when making some drawings I can get a bit bored. At least when I’m making the same type of drawing over and over again. So let’s look at what you can do to increase your skills, make pretty things, and not be bored.

When I’m looking at somebody else’s drawing I’m often unimpressed, mostly for the reasons I went over in this post. While I like making pretty drawings, I sometimes get bored with making the same look every time. Every now and then I like to spice it up a bit, especially if I’m only presenting things to coworkers and not management. In these cases it’s hard to get in trouble for doing something kind of fun and goofy, so I like to get a bit out there when I can.

The best way I’ve found to spice it up a bit is to find a neat template and play with it. Visio Guy (www.visguy.com) has made some great stuff and publishes them on his website. Here’s an example of what I did with a wire-frame style “Battle Zone” template (linky).

I had to take over a project because somebody left the company. He did good work and the design was solid and consistent with how things work in the company; he just wasn’t able to stay and complete the project due to circumstances outside his control. There wasn’t a whole lot for me to do, but I had to familiarize myself with the project and design, so I decided to do the drawing again. Obviously I’m not going to publish sensitive information, so names and IPs have been redacted.

Here’s the old one:

Not a bad drawing. It gets the point across and was easy enough to follow, but I felt I could do it better…

Doesn’t that look cool? Granted, it’s the sort of thing that might get a manager to look at you kind of funny, but all the design had already been presented to change control and management, so this was just to make sure that the design was firm in my head. This still follows some of my adopted keys to design: rounded corners, bold colors, lines don’t cross when they don’t have to.

To get this done I did have to go away from the template a bit, but I think aesthetically I made it work.

Basically, it comes down to this: Cisco IOS and Junos count the MTU differently. On IOS the interface mtu is the largest Layer 3 payload the interface will carry (the Ethernet header is not counted), and when you change it the ip mtu follows it. On Junos the physical interface mtu includes the Ethernet header, so the family inet (IP) MTU is 14 bytes smaller, or 18 bytes smaller with an 802.1Q tag: a 1500-byte IP MTU corresponds to a physical MTU of 1514 or 1518. So when you change the physical mtu on a Juniper box, set the family inet mtu explicitly to the value you actually want rather than assuming it will line up with the Cisco number on the other end.

2) Scripts in Excel, Access, whatever other program you like to use

Looking back, I should have done this next task in Access, where I get to use SQL commands, but everybody has Excel, so this seemed like a better choice should I get hit by a bus or something.

I’m not a professional programmer. I know I do things that are not necessarily correct or pretty. I have a tendency to use functions instead of subs because I like to use the return value of the function during debug. I’m sure I have other bad programming habits that would drive some people crazy, but at the end of the day I can get the job done and make my life easier when the day of a change comes.

Here’s some code that takes a log file, dumps it into a new sheet with a timestamp and then pulls the vlan info I need (VLAN ID, root bridge, and any blocking ports) into an existing sheet. It will do this for Cisco IOS switches, CatOS switches, and JunOS switches.

'WS is current worksheet and opens a new sheet at the beginning of the run
'I might need to move this to the functions that import the files....
Dim WS As Worksheet
Set WS = Sheets.Add
'get the log file to parse
filePath = Application.GetOpenFilename

'chop out the routerid from the filepath
'this assumes that the filename is the router-id
RouterId = GetFilenameFromPath(filePath)
RouterId = Left(RouterId, Len(RouterId) - 4)

'so the output of a couple of switches changes with the version. some didn't have a > others did...quick fix below
If RouterId = "switch3" Or RouterId = "switch4" Then
RouterId = RouterId & ">"
End If

End Sub
________________________________________________________________________
Function GetFilenameFromPath(ByVal strPath As String) As String
' Returns the rightmost characters of a string up to but not including the rightmost '\'
' e.g. 'c:\winnt\win.ini' returns 'win.ini'

____________________________________________________________________________________________________
Function WriteToExcel(StrArray)
'takes the array output from ImportFile and writes it into the current sheet starting at A1
Dim counter As Integer
Dim cellname As String

ReDim Preserve DRCells(counter)
If Not rFnd Is Nothing Then
DRCells(counter) = rFnd.Address
Else
DRCells(counter) = " "
End If

Next counter
'now I have 1:1 arrays with the vlan number and DR...at least I should
throwaway = MsgBox("These should match and be one more than the count from the SecureCRT script" & vbCrLf & UBound(showVlancells) & vbCrLf & UBound(DRCells), vbOKOnly)
'now I need to get all the blocking ports
ReDim BlockingCells(UBound(showVlancells), 4)
For counter = 1 To UBound(showVlancells)
searchString = "blocking"
If counter = UBound(showVlancells) Then
rowCounter = showVlancells(counter) & ":A" & Lastcell
Else
rowCounter = showVlancells(counter) & ":" & showVlancells(counter + 1)
End If

ReDim Preserve DRCells(counter)
'ios output isn't formatted friendly for this kind of search so I need to increment the drcells up one
If Not rFnd Is Nothing Then
Set rFnd = rFnd.Offset(1, 0)
DRCells(counter) = rFnd.Address
Else
DRCells(counter) = " "
End If

Next counter
'now I have 1:1 arrays with the vlan number and DR...at least I should
throwaway = MsgBox("These should match and be one more than the count from the SecureCRT script" & vbCrLf & UBound(showVlancells) & vbCrLf & UBound(DRCells), vbOKOnly)

' --------------------------------------------------------------------------------------------------------------
' FindAll - To find all instances of the given string and return the row numbers.
' If there are not any matches the function will return false
' --------------------------------------------------------------------------------------------------------------

Set rFnd = sheetname.Range(rowCounter).Find(What:=searchString, LookIn:=xlValues, LookAt:=xlPart)
If Not rFnd Is Nothing Then
rFirstAddress = rFnd.Address
Do Until rFnd Is Nothing
iArr = iArr + 1
' ReDim Preserve ARTemp(iArr) 'this may need to come back later
ARTemp(iArr) = rFnd.Address ' rFnd.Row ' Store the Row where the text is found
Set rFnd = sheetname.Range(rowCounter).FindNext(rFnd)
If rFnd.Address = rFirstAddress Then Exit Do ' Do not allow wrapped search
Loop
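For comparison, here is an added Python version of the same extraction (written for this page, not the author's code) for the IOS table-style show spanning-tree output: it pulls the VLAN ID, the root bridge ID, and any blocking ports per VLAN, which is what the VBA above writes into the sheet. The sample output is constructed; the older "is blocking" line format is handled as well, while CatOS and JunOS output are not covered.

```python
import re

# Constructed 'show spanning-tree' output in the IOS table format (not from the
# post): VLAN 10 with a blocked alternate port, VLAN 20 where this switch is root.
SAMPLE_SHOW_SPANNING_TREE = """\
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     0011.2233.4455
             Cost        4
             Port        25 (GigabitEthernet1/0/25)

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0022.3344.5566

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/25            Root FWD 4         128.25   P2p
Gi1/0/26            Altn BLK 4         128.26   P2p

VLAN0020
  Spanning tree enabled protocol rstp
  Root ID    Priority    32788
             Address     0022.3344.5566
             This bridge is the root

  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     0022.3344.5566

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/25            Desg FWD 4         128.25   P2p
Gi1/0/26            Desg FWD 4         128.26   P2p
"""

VLAN_HEADER = re.compile(r"^VLAN0*(\d+)\s*$")
# Table-format port line: "<interface> <role> BLK <cost> ..."
TABLE_BLK = re.compile(r"^(\S+)\s+\S+\s+BLK\s")
# Older detailed format: "Port 25 (GigabitEthernet1/0/25) of VLAN0010 is blocking"
DETAIL_BLK = re.compile(r"^Port \d+ \((\S+)\) of \S+ is blocking")


def parse_show_spanning_tree(text):
    """Return {vlan_id: {root_priority, root_address, is_root, blocking_ports}}."""
    vlans, current, section = {}, None, None
    for line in text.splitlines():
        m = VLAN_HEADER.match(line)
        if m:
            current = {"root_priority": None, "root_address": None,
                       "is_root": False, "blocking_ports": []}
            vlans[int(m.group(1))] = current
            section = None
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("Root ID"):
            section = "root"          # the next Address line is the root's
            pm = re.search(r"Priority\s+(\d+)", s)
            current["root_priority"] = int(pm.group(1)) if pm else None
        elif s.startswith("Bridge ID"):
            section = "bridge"        # this switch's own ID, not the root
        elif section == "root" and s.startswith("Address"):
            current["root_address"] = s.split()[1]
        elif section == "root" and "This bridge is the root" in s:
            current["is_root"] = True
        for rx in (TABLE_BLK, DETAIL_BLK):
            pm = rx.match(s)
            if pm:
                current["blocking_ports"].append(pm.group(1))
    return vlans


def report_rows(vlans):
    """(VLAN ID, root bridge address or 'self', blocking ports) per VLAN."""
    return [(vid, "self" if v["is_root"] else v["root_address"], ",".join(v["blocking_ports"]))
            for vid, v in sorted(vlans.items())]
```

Keying on the Root ID / Bridge ID section instead of searching for "Address" is what avoids the off-by-one the VBA comment mentions: the first Address line after Root ID is the root's, the one after Bridge ID is the local switch's, and they only coincide when this switch is the root.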